

Amendments to the Claims: 

This listing of claims will replace all prior versions, and listings, of claims in the application: 

1) (Currently Amended) A method of managing risk with the aid of a 
computer system, said method comprising: 

a. identifying a set of risk elements, said risk elements being stored in 
a database coupled to said computer; 

b. for at least one risk element, identifying one or more control 
procedures associated with each as a means for mitigating said risk 
element; 

c. associating said one or more control procedures with said risk 
element, said control procedures being stored in said database; 

d. assigning a weight to each said control procedure; 

e. determining a compliance rating for each said control procedure; 
and 

f. calculating a compliance score, said compliance score being a 
function of said assigned weights and said compliance rating of 
said control procedures. 

2) (Original) The method of claim 1, wherein said compliance ratings 
comprise at least one rating identifying a non-fully compliant control procedure, said 
method further comprising the steps of: 

a. for each said control procedure having a non-fully compliant 
rating, receiving a signal indicating whether said non-fully 
compliant rating is accepted or not accepted; and 

b. for each said non-fully compliant control procedure which is 
indicated as not accepted, generating an action plan. 

3) (Original) The method of claim 2 wherein said action plan includes a 
target date, said method further comprising the step of calculating an expected 
compliance score for one or more future dates based on said action plan target dates. 

4) (Original) The method of claim 3 further comprising the step of tracking 
whether said expected compliance scores have been met, said tracking including 
calculating actual compliance scores for said target dates. 

5) (Original) The method of claim 4 further comprising the step of 
displaying said expected compliance scores versus said actual compliance for said target 
dates. 

6) (Original) The method of claim 1 further comprising the step of 
associating one or more parameters with each said compliance rating. 

7) (Original) The method of claim 6 wherein said one or more parameters 
are selected from the group comprising organization, business line, process, and region. 

8) (Original) The method of claim 6 further comprising the step of sorting 
said compliance scores by said one or more parameters. 

9) (Original) The method of claim 8 further comprising the step of 
displaying said sorted compliance scores. 

10) (Currently Amended) A method of managing risk with the aid of a 
computer system, said method comprising: 

a. identifying a set of risk elements, said risk elements being stored in 
a database coupled to said computer; 

b. identifying one or more subrisk elements associated with each said 
risk element, each said subrisk element being stored in said 
database; 

c. for at least one subrisk element, identifying one or more control 
procedures associated with each as a means for mitigating said 
subrisk element; 

d. associating said one or more control procedures with said risk 
element, said control procedures being stored in said database; 

e. assigning a weight to each said control procedure; 

f. determining a compliance rating for each said control procedure, 
said compliance ratings including a plurality of categories 
including at least one category indicating said control procedure is 
not fully compliant; 

g. calculating a compliance score, said compliance score being a 
function of said assigned weights and said compliance rating of 
said control procedures; 

h. for each said subrisk, determining whether at least one control 
procedure associated with said subrisk is not fully compliant; 

i. for each said subrisk associated with at least one control procedure 
which is not fully compliant, receiving a signal indicating whether 
said subrisk should be accepted or not accepted; and 

j. for each said subrisk which is indicated as not accepted, 
generating an action plan. 

11) (Original) The method of claim 10 wherein said action plan further 
includes a target date, said method further comprising the step of calculating a 
future compliance score based on said action plan target dates. 

12) (Original) The method of claim 10 further comprising the step of 
associating one or more parameters with each said compliance rating. 

13) (Original) The method of claim 12 further comprising the step of sorting 
said compliance ratings and displaying said sorted ratings. 

14) (Currently Amended) A method of forecasting risk with the aid of a 
computer system, said method comprising: 

a. identifying a set of risk elements, said risk elements being stored in 
a database coupled to said computer; 

b. for at least one risk element, identifying one or more control 
procedures associated with each as a means for mitigating said risk 
element; 

c. associating said one or more control procedures with said risk 
element, said control procedures being stored in said database; 

d. assigning a weight to each said control procedure; 

e. determining a compliance rating for each said control procedure, 
said compliance ratings chosen from a set of ratings including at 
least one rating identifying a non-fully compliant control procedure 
and at least one rating identifying fully compliant control 
procedures; 

f. for each said control procedure having a non-fully compliant 
rating, generating an action plan, said action plan including a target 
date for at least one action listed therein; and 

g. calculating an expected compliance score for a future date, said 
expected compliance score being a function of said assigned 
weights, said fully compliant control procedures, and said action 
plan target dates for said non-fully compliant control procedures. 

15) (Original) The method of claim 14 wherein said action plan comprises a 
signal indicating whether said non-fully compliant rating is accepted or not accepted, said 
expected compliance score further being a function of said non-fully compliant ratings 
which have been accepted. 

16) (Currently Amended) A data processing system for managing risk, said 
system comprising: 

a. a database; 

b. a processor coupled to said database, said processor being 
programmed to perform the steps comprising: 

i. receiving a first signal identifying a set of risk elements, 
said risk elements being stored in said database; 

ii. receive a second signal identifying one or more control 
procedures associated with each said risk element, said 
control procedure comprising a means to mitigate said risk 
element, said control procedures being stored in said 
database; 

iii. receive a third signal assigning a weight to each said 
control procedure, said weight being stored in said database; 

iv. receive a fourth signal identifying a compliance rating for 
each said control procedure; and 

v. calculate a compliance score, said compliance score being a 
function of said assigned weights and said compliance 
rating of said control procedures. 

17) (Original) The data processing system of claim 16, wherein said 
compliance ratings comprise at least one rating identifying a non-fully compliant control 
procedure, said processor being further programmed to perform the steps comprising: 

a. for each said control procedure having a non-fully compliant 
rating, receiving a signal indicating whether said non-fully 
compliant rating is accepted or not accepted; 

b. for each said non-fully compliant control procedure which is 
indicated as not accepted, receiving an action plan, said action plan 
including an expected target date for implementation and an 
expected compliance rating; and 

c. generating one or more future expected compliance scores, said 
compliance scores being a function of said target dates, said assigned weights and said 
expected compliance rating of said control procedures. 

18) (Original) The data processing system of claim 16 further comprising a 
computer display coupled to said processor, said processor further being programmed to 
display said compliance scores on said computer display. 